The U.S. National Security Agency (NSA), the UK’s National Cyber Security Centre (NCSC), and partners from over a dozen countries have linked the Salt Typhoon global hacking campaigns to three China-based technology firms.
According to the joint advisories [NSA, NCSC], Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., and Sichuan Zhixin Ruijie Network Technology Co. Ltd. have provided cyber products and services toChina’s Ministry of State Security and the People’s Liberation Army, enabling cyber espionage operations tracked as Salt Typhoon.
Since at least 2021, the Chinese threat actors have breached government, telecommunications, transportation, lodging, and military networks worldwide, stealing data that can be used to track targets’ communications and movements worldwide.
In particular, over the past couple of years, Salt Typhoon has performed concerted attacks on telecommunication firms to spy on the private communications of individuals worldwide.
BleepingComputer contacted the Chinese embassy about these claims and will update the story if we receive a response.
Targeting networking equipment
Ajoint advisory by cyber and intelligence agencies in 13 countries warns that the threat actors have had “considerable success” exploiting widely known and fixed flaws on network edge devices rather than relying on zero-days.
These vulnerabilities include:
- CVE-2024-21887 (Ivanti Connect Secure command injection),
- CVE-2024-3400 (Palo Alto PAN-OS GlobalProtect RCE),
- CVE-2023-20273 and CVE-2023-20198 (Cisco IOS XE authentication bypass and privilege escalation)
- CVE-2018-0171 (Cisco Smart Install RCE).
Using these flaws, the threat actors gain access to routing and network devices, allowing them to modify access control lists, enableSSH on non-standard ports, createGRE/IPsec tunnels, and exploitCisco Guest Shell containers to maintain persistence.
“The APT actors may target edge devices regardless of who owns a particular device,” explains the joint report.
“Devices owned by entities who do not align with the actors’ core targets of interest still present opportunities for use in attack pathways into targets of interest. The actors leverage compromised devices and trusted connections or private interconnections (e.g., provider-to-provider or provider-to-customer links) to pivot into other networks.”
They also collected packet captures of authentication traffic, redirected TACACS+ servers, and deployed custom Golang-based SFTP tools (“cmd1,” “cmd3,” “new2,” and “sft”) to monitor traffic and steal data.
As many of these vulnerabilities have had fixes available for some time, both the NCSC and NSA urge organizations to prioritize patching devices first, then hardeningdevice configurations, monitoring for unauthorized changes, and turning off unused services.
It is also recommended that admins restrictmanagement services to dedicated networks, enforcesecure protocols such as SSHv2 and SNMPv3, and disableCisco Smart Install and Guest Shell where not needed.
CISA has previously warned that administrators should disablethe legacy Cisco Smart Install (SMI)feature after observing it being abused in attacks by both Chinese and Russian threat actors.
Admins are also advised to actively search for signs of compromise, as the campaigns utilize known weaknesses rather than stealthy zero-days.
Salt Typhoon’s past activity
The new advisories follow years of Salt Typhoon attacks against telecommunications providers and government entities.
The group previously breached major U.S. carriers, including AT&T, Verizon, and Lumen, gaining access to sensitive communications such as text messages, voicemails, and even U.S. law enforcement’s wiretap systems.
These breaches caused the FCC to order telecoms to secure their networks under the Communications Assistance for Law Enforcement Act (CALEA) and submit annual certificationsconfirming that they have an up-to-date cybersecurity risk management plan.
Salt Typhoon also exploited unpatched Cisco IOS XE vulnerabilities to infiltrate more U.S. and Canadian telecoms, where they established GRE tunnels for persistent access and stole configuration data.
The threat actors used a custom malware known as JumbledPath to monitor and capture traffic from telecom networks.
In addition to telecom breaches, Salt Typhoon was linked to a nine-month breach of a U.S. Army National Guard network in 2024, during which they stole configuration files and administrator credentials that could be used to compromise other government networks.
